[Firehol-support] Link Balancer, marks & NATed servers

Tsaousis, Costa costa at tsaousis.gr
Tue Nov 28 14:59:23 GMT 2017 

I think it should say:

 - this action is used to write the fwmark on an IP packet, at the kernel

It really adds the mark at the packet. But at the internal representation
of the packet. The mark does not appear on the wire.

connmarks actually attempt to restore the mark on the packets (inside the
kernel), based on the connection itself.
So, you mark one packet, then connmark saves this at the connection tracker
table, and later the mark is restored on all packets of that connection.

In all cases, marks are inside the Linux kernel.
They never leave that environment.

Costa


On Tue, Nov 28, 2017 at 4:47 PM, Whit Blauvelt <whit at transpect.com> wrote:

> Hi Costa,
>
> Thanks for the answer. So fwmarks can never be within packets? Or just
> connmarks? Reading elsewhere. I get the impression that whereas connmarks
> are only in the local kernel's connection tracking table, marks can also be
> on packets. For instance the article, "Load balancing using iptables with
> connmark"
> (http://www.system-rescue-cd.org/networking/Load-balancing-
> using-iptables-with-connmark/)
> says:
>
>   The connmark target
>
>   An ipfilter target is a module that runs an action. We will need both the
>   MARK target to put a mark on a packet, and CONNMARK to manage the
> netfilter
>   state table:
>
>     -j MARK --set-mark: this action is used to write the fwmark on an IP
>     packet. The value of the mark is given as a parameter of this action.
>
>     -j CONNMARK --save-mark: this action is used to write the fwmark of a
>     packet in the state table (from packet to state table)
>
>     -j CONNMARK --restore-mark: this action is used to write the fwmark of
>     the state table in the ip packet (from state table to packet)
>
> This says marks can be either "on a packet" or in "the netfilter state
> table." What might be ambiguous is whether "on a packet" is the same as "in
> a packet." Or if it means "in a packet but stripped out before being sent
> on
> the wire." If "on a packet" is neither "in the packet" nor in the state
> table, where is it? Another table in the kernel? A sort of wrapper around
> or
> extension on the packet that's stripped off as it's sent to the wire?
>
> I just want to be clear on whether "marks never appear on the wire" is just
> in the Link Balancer context, or a limitation of fwmarks in all uses.
>
> Thanks,
> Whit
>
> On Tue, Nov 28, 2017 at 02:25:41AM +0200, Tsaousis, Costa wrote:
> > Hi,
> >
> > no, marks never appear on the wire. They are mainly a mechanism for
> building
> > complex rules, within a single host.
> >
> > Costa
> >
> >
> > On Mon, Nov 27, 2017 at 4:59 PM, Whit Blauvelt <whit at transpect.com>
> wrote:
> >
> >     Let me simplify this question: Are the marks that Link Balancer
> places on
> >     packets at a gateway/firewall also utilizable by instances on the
> LAN, also
> >     running Link Balancer, to route packets out back out through that
> >     gateway/firewall, in a multiple gateway/firewall setup?
> >
> >     Yes, I can engage in experiments to see. But it's always nice to
> know if
> >     something's theoretically sound before stumbling through experiments.
> >
> >     Thanks again,
> >     Whit
>

More information about the Firehol-support mailing list